diff --git a/.gitignore b/.gitignore index b11da9243..975b93984 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,4 @@ .DS_Store /modules/ Puppetfile.lock +.tool-versions diff --git a/manifests/profile/fulcrum/app.pp b/manifests/profile/fulcrum/app.pp index 9393119b8..83be50c96 100644 --- a/manifests/profile/fulcrum/app.pp +++ b/manifests/profile/fulcrum/app.pp @@ -26,7 +26,7 @@ 'libreoffice', 'libjemalloc2', 'netpbm-sf', - "openjdk-${jdk_version}-jre-headless", + "temurin-${jdk_version}-jre", 'pdftk', 'qpdf', 'shared-mime-info', diff --git a/manifests/profile/fulcrum/fedora.pp b/manifests/profile/fulcrum/fedora.pp index 0c5060571..ddc967cc4 100644 --- a/manifests/profile/fulcrum/fedora.pp +++ b/manifests/profile/fulcrum/fedora.pp 
@@ -8,37 +8,47 @@ String $fedora_username = 'fedora', String $fedora_password = lookup('nebula::profile::fulcrum::mysql::fedora_password'), ) { + $jdk_version = lookup('nebula::jdk_version') + # used in erb file + $java_home = "/usr/lib/jvm/temurin-${jdk_version}-jre-amd64" + ensure_packages([ - 'tomcat8-user', + 'tomcat9-user', ]) file { '/etc/sudoers.d/fedora': content => template('nebula/profile/fulcrum/sudoers-fedora.erb'), } + exec { 'create fedora tomcat': + command => '/usr/bin/tomcat9-instance-create fedora', + cwd => '/opt', + creates => '/opt/fedora', + require => [ + User['fulcrum'], + Package['tomcat9-user'], + ], + } + file { ['/var/lib/fedora', '/var/log/fedora', '/opt/fedora', '/tmp/fedora']: ensure => directory, owner => 'fulcrum', group => 'fulcrum', + require => Exec['create fedora tomcat'], ; } - exec { 'create fedora tomcat': - command => '/usr/bin/tomcat8-instance-create fedora', - cwd => '/opt', - user => 'fulcrum', - creates => '/opt/fedora', - require => [ - User['fulcrum'], - Package['tomcat8-user'], - ], + exec { 'chown -r /opt/fedora': + command => '/usr/bin/chown -R fulcrum:fulcrum /opt/fedora', + require => Exec['create fedora tomcat'], } file { '/opt/fedora/logs': ensure => 'symlink', owner => 'fulcrum', group => 'fulcrum', + force => true, target => '/var/log/fedora', require => Exec['create fedora tomcat'], } @@ -46,8 +56,8 @@ archive { '/opt/fedora/webapps/fedora.war': ensure => present, extract => false, - source => 'https://github.com/fcrepo/fcrepo/releases/download/fcrepo-4.7.4/fcrepo-webapp-4.7.4.war', - checksum => '11e06c843f40cf2b9f26bda94ddfe6d85d69a591', + source => 'https://github.com/fcrepo/fcrepo/releases/download/fcrepo-4.7.6/fcrepo-webapp-4.7.6.war', + checksum => '5882d8a4dc8b3817374503dff2043be79d9bbd72', checksum_type => 'sha1', cleanup => false, user => 'fulcrum', 
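Review bot: The new `exec { 'chown -r /opt/fedora': ... }` has no `creates`, `unless`, `onlyif` or `refreshonly`, so it runs a recursive chown as root on every agent run and reports a change each time. Because `user => 'fulcrum'` was also dropped from `create fedora tomcat`, the instance is now created as root and this chown is what hands it to the service account. Tying it to the creation step keeps it one-shot: use `refreshonly => true,` and `subscribe => Exec['create fedora tomcat'],` in place of the `require`. Repeating a root-run `chown -R` over a tree the service account can write to is also worth avoiding, since it re-owns whatever that account has placed there.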
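Review bot: The WAR download is still verified with `checksum_type => 'sha1'`; only the digest value changed with the version bump. SHA-1 is no longer collision-resistant, so a SHA-256 digest is the better pin for an artifact that is fetched over the network and deployed into Tomcat. That would be `checksum_type => 'sha256',` with `checksum => '<SHA-256 of fcrepo-webapp-4.7.6.war>',` (placeholder; compute it from a copy of the release you trust). The `archive` resource continues outside the hunk.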
@@ -81,7 +91,7 @@ File['/etc/systemd/system/fedora.service'], File['/var/lib/fedora'], Archive['/opt/fedora/webapps/fedora.war'], - Mysql::Db['fedora'], + Service['mysqld'], ], } } diff --git a/manifests/profile/fulcrum/hosts.pp b/manifests/profile/fulcrum/hosts.pp index dbe25b778..8c98986f7 100644 --- a/manifests/profile/fulcrum/hosts.pp +++ b/manifests/profile/fulcrum/hosts.pp @@ -6,6 +6,7 @@ class nebula::profile::fulcrum::hosts ( $fedora = '127.0.0.1', $mysql = '127.0.0.1', + $keycard = '127.0.0.1', $redis = '127.0.0.1', $solr = '127.0.0.1', ) { @@ -17,6 +18,10 @@ ip => $mysql, } + host { 'keycard': + ip => $keycard, + } + host { 'redis': ip => $redis, } diff --git a/manifests/profile/fulcrum/mysql.pp b/manifests/profile/fulcrum/mysql.pp index 470851bfc..28bb5107e 100644 --- a/manifests/profile/fulcrum/mysql.pp +++ b/manifests/profile/fulcrum/mysql.pp 
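Review bot: Replacing `Mysql::Db['fedora']` with `Service['mysqld']` in this `require` list means the resource waits only for the database server, not for the fedora database and its grant. Those are now created by the `create-fedora-db` exec in manifests/profile/fulcrum/mysql.pp, so on a first run this resource can be applied before the schema and account exist. Adding `Exec['create-fedora-db'],` next to `Service['mysqld'],` restores the ordering the old dependency gave. The enclosing resource starts outside the hunk.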
@@ -7,32 +7,51 @@ class nebula::profile::fulcrum::mysql ( String $fedora_password, String $fulcrum_password, - String $checkpoint_password, String $shibd_password, + String $root_password, ) { - include nebula::profile::mysql - mysql::db { 'fedora': - user => 'fedora', - password => $fedora_password, - host => 'localhost', + # Install and configure mysql server + ensure_packages(['mariadb-common','mariadb-server', 'mariadb-client']) + +# at some point need to do equivalent to `mysql_install_db --user=mysql --ldata=/var/lib/mysql` + + service { 'mysqld': + enable => true, + ensure => running, + require => Package['mariadb-server'], + } + + file { "/etc/mysql/conf.d": + ensure => "directory" } - mysql::db { 'fulcrum': - user => 'fulcrum', - password => $fulcrum_password, - host => 'localhost', + file { "/etc/mysql/my.cnf": + owner => "mysql", group => "mysql", + content => template('nebula/mysql/my.cnf.erb'), + notify => Service["mysqld"], + require => Package["mariadb-server"], } - mysql::db { 'checkpoint': - user => 'checkpoint', - password => $checkpoint_password, - host => 'localhost', + exec { "set-mysql-password": + unless => "mysqladmin -uroot -p$root_password status", + path => ["/bin", "/usr/bin"], + command => "mysqladmin -uroot password $root_password", + require => Service["mysqld"], } - mysql::db { 'shibd': - user => 'shibd', - password => $shibd_password, - host => 'localhost', + $dbs = [['fedora', 'fedora', $fedora_password], ['fulcrum', 'fulcrum', $fulcrum_password], + ['checkpoint', 'fulcrum', $fulcrum_password], ['shibd', 'shibd', $shibd_password]] + + $dbs.each |$db| { + $name = $db[0] + $user = $db[1] + $password = $db[2] + exec { "create-${name}-db": + unless => "/usr/bin/mysql -u${user} -p${password} ${name}", + command => "/usr/bin/mysql -uroot -p${root_password} -e \"create database ${name}; grant all on ${name}.* to ${user}@localhost identified by '${password}';\"", + require => Service["mysqld"], + } } + } 
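Review bot: Every exec added here puts a database password on a command line: `-p$root_password` and `password $root_password` in `set-mysql-password`, and `-p${password}`, `-p${root_password}` and `identified by '${password}'` in the `create-${name}-db` loop. Command-line arguments are readable by other local users through the process list, and Puppet typically includes an exec's command in its logs and reports when it fails. The values are also interpolated unquoted, so a password containing a space, quote or shell metacharacter will break or alter the command. Declare the parameters as `Sensitive[String]` and give the client its credentials through a root-only option file (`mode => '0600'`) passed with `--defaults-extra-file=...` instead of `-p`. Separately, `/etc/mysql/my.cnf` is created with `owner => "mysql", group => "mysql"`, which lets the database service account rewrite its own configuration; `owner => 'root', group => 'root', mode => '0644'` is the usual setting.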
diff --git a/manifests/profile/fulcrum/nginx.pp b/manifests/profile/fulcrum/nginx.pp index 0c6474efe..1be068c59 100644 --- a/manifests/profile/fulcrum/nginx.pp +++ b/manifests/profile/fulcrum/nginx.pp @@ -197,6 +197,6 @@ proto => 'tcp', dport => 443, state => 'NEW', - jump => 'accept', + action => 'accept', } } diff --git a/manifests/profile/fulcrum/perl.pp b/manifests/profile/fulcrum/perl.pp new file mode 100644 index 000000000..5795e4638 --- /dev/null +++ b/manifests/profile/fulcrum/perl.pp @@ -0,0 +1,37 @@ +# The perl profile is needed for monitor_pl to work, but it pulls in a +# ton of stuff. We should probably allow for different haproxy http checks +# for a service, and eliminate the perl/monitor_pl dependency here. + +class nebula::profile::fulcrum::perl ( + Hash $hosts = {} +) { + + include nebula::profile::www_lib::perl + + create_resources('host',$hosts) + + include nebula::profile::www_lib::apache::base + include nebula::profile::www_lib::apache::fulcrum + + cron { + default: + user => 'root', + ; + + 'purge apache access logs 1/2': + hour => 1, + minute => 7, + command => '/usr/bin/find /var/log/apache2 -type f -mtime +14 -name "*log*" -exec /bin/rm {} \; > /dev/null 2>&1', + ; + + 'purge apache access logs 2/2': + hour => 1, + minute => 17, + command => '/usr/bin/find /var/log/apache2 -type f -mtime +2 -name "*log*" ! -name "*log*gz" -exec /usr/bin/pigz {} \; > /dev/null 2>&1', + require => Package['pigz'], + ; + } + + ensure_packages(['pigz']) + +} diff --git a/manifests/profile/fulcrum/shibboleth.pp b/manifests/profile/fulcrum/shibboleth.pp index e50ad152e..6e7b244df 100644 --- a/manifests/profile/fulcrum/shibboleth.pp +++ b/manifests/profile/fulcrum/shibboleth.pp @@ -7,8 +7,8 @@ class nebula::profile::fulcrum::shibboleth { ensure_packages([ 'unixodbc', - 'shibboleth-sp2-common', - 'shibboleth-sp2-utils', + 'shibboleth-sp-common', + 'shibboleth-sp-utils', 'mariadb-unixodbc', ]) 
@@ -52,7 +52,7 @@ ensure => 'running', enable => true, hasrestart => true, - require => [Package['shibboleth-sp2-utils'], Package['mariadb-unixodbc']] + require => [Package['shibboleth-sp-utils'], Package['mariadb-unixodbc']] } service { 'shibauthorizer.socket': diff --git a/manifests/profile/shibboleth.pp b/manifests/profile/shibboleth.pp index 4fd307a61..47e9f5971 100644 --- a/manifests/profile/shibboleth.pp +++ b/manifests/profile/shibboleth.pp @@ -35,7 +35,7 @@ [ 'shibboleth-sp-common', 'shibboleth-sp-utils', - 'odbc-mariadb' + 'mariadb-unixodbc' ]: } @@ -50,7 +50,7 @@ ensure => 'running', enable => true, hasrestart => true, - require => [Package['shibboleth-sp-utils'], Package['odbc-mariadb']] + require => [Package['shibboleth-sp-utils'], Package['mariadb-unixodbc']] } file { '/etc/odbcinst.ini': diff --git a/manifests/profile/solr.pp b/manifests/profile/solr.pp index 3262b84a1..f84c65d76 100644 --- a/manifests/profile/solr.pp +++ b/manifests/profile/solr.pp @@ -19,10 +19,17 @@ ) { $jdk_version = lookup('nebula::jdk_version') - ensure_packages(["openjdk-${jdk_version}-jre-headless",'solr','lsof']) + ensure_packages(["temurin-${jdk_version}-jre",'solr','lsof']) + + class { 'nebula::profile::openjdk_java': + jdk_packages => ["temurin-${jdk_version}-jre"], + default_jdk => "temurin-${jdk_version}-jre", + base_alternative => "/usr/lib/jvm/temurin-${jdk_version}-jre-amd64/bin/java", + java_alternative => "temurin-${jdk_version}-jre-amd64", + } # Note: Along with variables above these are used in erb files also. - $java_home = "/usr/lib/jvm/java-${jdk_version}-openjdk-amd64/jre" + $java_home = "/usr/lib/jvm/temurin-${jdk_version}-jre-amd64" $solr_bin = '/opt/solr/bin/solr' nebula::usergroup { 'solr': } @@ -53,6 +60,11 @@ ; } + file { "/etc/environment": + content => inline_template("JAVA_HOME=${java_home}") + } + + file { '/etc/systemd/system/solr.service': owner => 'root', group => 'root', 
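Review bot: The `temurin-${jdk_version}-jre` package in `ensure_packages` comes from the Adoptium apt repository rather than the Debian archive, as far as I know, and nothing in this diff shows that repository and its signing key being configured or ordered before the package. If `nebula::profile::openjdk_java` does that, a short comment saying so would help; if it does not, the install fails on a fresh host. That class also receives the same package in `jdk_packages`, so check that it declares it in a way that cannot collide with the `ensure_packages` call above it.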
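Review bot: The added `file { "/etc/environment": content => inline_template("JAVA_HOME=${java_home}") }` replaces the whole of `/etc/environment` with a single line that has no trailing newline. Any variable another profile or an administrator keeps there is removed on the next run, and `JAVA_HOME` changes for every login session on the host, not only for Solr. No owner, group or mode is set either. If only Solr needs the value, set it in the solr unit or its environment file; if it must be global, manage just that line (for example with stdlib's `file_line`) and pin `owner => 'root', group => 'root', mode => '0644'`. `inline_template` adds nothing here; the plain string `"JAVA_HOME=${java_home}\n"` is enough.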
diff --git a/manifests/profile/www_lib/dependencies.pp b/manifests/profile/www_lib/dependencies.pp index d36564e74..9c13c1ade 100644 --- a/manifests/profile/www_lib/dependencies.pp +++ b/manifests/profile/www_lib/dependencies.pp @@ -17,7 +17,7 @@ 'git', 'emacs', 'imagemagick', - "openjdk-${jdk_version}-jre", + "temurin-${jdk_version}-jre", ] ) diff --git a/manifests/role/fulcrum/standalone.pp b/manifests/role/fulcrum/standalone.pp index 33465bbf2..5adc1dc66 100644 --- a/manifests/role/fulcrum/standalone.pp +++ b/manifests/role/fulcrum/standalone.pp @@ -7,15 +7,21 @@ # This is desiged to manage a Debian Server that hosts the Fulcrum project, with all of the dependencies and services included. class nebula::role::fulcrum::standalone { + include nebula::role::minimum include nebula::profile::ruby include nebula::profile::fulcrum::base include nebula::profile::fulcrum::hosts + include nebula::profile::fulcrum::mounts + include nebula::profile::fulcrum::symlinks include nebula::profile::fulcrum::app - include nebula::profile::fulcrum::fedora include nebula::profile::fulcrum::logrotate - include nebula::profile::fulcrum::mysql include nebula::profile::fulcrum::redis - include nebula::profile::fulcrum::shibboleth + include nebula::profile::fulcrum::perl + include nebula::profile::fulcrum::solr + include nebula::profile::fulcrum::mysql + + include nebula::profile::fulcrum::shibboleth + include nebula::profile::fulcrum::fedora } diff --git a/spec/classes/profile/solr_spec.rb b/spec/classes/profile/solr_spec.rb index 0f408244c..03d74743e 100644 --- a/spec/classes/profile/solr_spec.rb +++ b/spec/classes/profile/solr_spec.rb @@ -14,7 +14,7 @@ # Packages [ - 'openjdk-8-jre-headless', + 'temurin-11-jre', 'solr', 'lsof', ].each do |package| diff --git a/spec/fixtures/hiera/default.yaml b/spec/fixtures/hiera/default.yaml index 729fb7db5..56bd4826f 100644 --- a/spec/fixtures/hiera/default.yaml +++ b/spec/fixtures/hiera/default.yaml 
@@ -163,7 +163,7 @@ umich::networks::private_blocks: nebula::profile::falcon::cid: default-invalid-cid nebula::profile::tsm::servername: tsmserver nebula::profile::tsm::serveraddress: tsm.default.invalid -nebula::jdk_version: '8' +nebula::jdk_version: '11' nebula::profile::kubelet::kubelet_version: default.invalid diff --git a/spec/fixtures/hiera/fulcrum.yaml b/spec/fixtures/hiera/fulcrum.yaml index 3c72280ce..92aac4d25 100644 --- a/spec/fixtures/hiera/fulcrum.yaml +++ b/spec/fixtures/hiera/fulcrum.yaml @@ -1,4 +1,5 @@ nebula::profile::mysql::password: changeme +nebula::profile::fulcrum::mysql::root_password: changeme nebula::profile::fulcrum::mysql::fedora_password: changeme nebula::profile::fulcrum::mysql::fulcrum_password: changeme nebula::profile::fulcrum::mysql::checkpoint_password: changeme diff --git a/templates/mysql/my.cnf.erb b/templates/mysql/my.cnf.erb new file mode 100644 index 000000000..583783795 --- /dev/null +++ b/templates/mysql/my.cnf.erb 
@@ -0,0 +1,30 @@ +# The MariaDB configuration file +# +# The MariaDB/MySQL tools read configuration files in the following order: +# 0. "/etc/mysql/my.cnf" symlinks to this file, reason why all the rest is read. +# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults, +# 2. "/etc/mysql/conf.d/*.cnf" to set global options. +# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options. +# 4. "~/.my.cnf" to set user-specific options. +# +# If the same option is defined multiple times, the last one will apply. +# +# One can use all long options that the program supports. +# Run program with --help to get a list of available options and with +# --print-defaults to see which it would actually understand and use. +# +# If you are new to MariaDB, check out https://mariadb.com/kb/en/basic-mariadb-articles/ + +# +# This group is read both by the client and the server +# use it for options that affect everything +# +[client-server] +# Port or socket location where to connect +# port = 3306 +socket = /run/mysqld/mysqld.sock + +# Import all .cnf files from configuration directory +!includedir /etc/mysql/conf.d/ +!includedir /etc/mysql/mariadb.conf.d/ + diff --git a/templates/profile/fulcrum/fedora.env.erb b/templates/profile/fulcrum/fedora.env.erb index 9616d5de5..1f2d54095 100644 --- a/templates/profile/fulcrum/fedora.env.erb +++ b/templates/profile/fulcrum/fedora.env.erb @@ -1,4 +1,5 @@ CATALINA_BASE="/opt/fedora" +JAVA_HOME="<%= @java_home %>" JAVA_OPTS="-Djava.awt.headless=true \ -Djava.io.tmpdir=/tmp/fedora \ -Xmx8g \ diff --git a/templates/profile/fulcrum/fedora.service.erb b/templates/profile/fulcrum/fedora.service.erb index 39b860b05..1c35e9b2b 100644 --- a/templates/profile/fulcrum/fedora.service.erb +++ b/templates/profile/fulcrum/fedora.service.erb 
@@ -5,7 +5,7 @@ Description=Apache Tomcat running Fedora Repository User=fulcrum Group=fulcrum EnvironmentFile=-/etc/default/fedora -ExecStart=/usr/share/tomcat8/bin/catalina.sh run +ExecStart=/usr/share/tomcat9/bin/catalina.sh run [Install] WantedBy=multi-user.target